Re: [Spasm] CAA erratum 4515

Jacob Hoffman-Andrews <jsha@eff.org> Fri, 17 March 2017 18:09 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/YXrWX79iR8bXbg4JIKcEAvW0TDk>

On 03/17/2017 07:39 AM, Phillip Hallam-Baker wrote:
> So at this point, does anyone object to the following course of action:
>
> * Amend the CABForum 'clarification' ballot to state that CAs must
> implement RFC 6844 as amended by erratum 4515
>
> * Write new ID to accept the substantive change described in Erratum 4515
>
> * Request publication as a new RFC
>
> Now whether we do this inside or outside the WG is for the chairs and
> AD to consider. I don't think this is currently a WG item. But if we
> have concurrence and there is no real dispute, that probably isn't
> such an issue.
This seems like a reasonable course of action. The only quibble I have
is that, while erratum 4515 is the minimal change to express the
behavior we've agreed to, it leaves the algorithm section overly
detailed in a way that is potentially confusing to readers. I'd like to
propose this version, which relies on the RFC 1034 language for CNAME
resolution in order to clarify the behavior:

----- Proposal -----
   Let CAA(X) be the record set returned by performing a CAA record
   query on the domain name X, according to the name server lookup
   algorithm specified in RFC 1034 section 4.3.2 (in particular including
   CNAME responses). Let P(X) be the domain name produced by removing the
   leftmost label of X.

 - If CAA(X) contains any CAA resource records, R(X) = CAA(X), otherwise
 - If P(X) is the root domain '.', then R(X) is empty, otherwise
 - R(X) = R(P(X))

----- End proposal -----

For reference, current RFC 6844 with 4515 applied:

   Let CAA(X) be the record set returned in response to performing a CAA
   record query on the label X, P(X) be the DNS label immediately above
   X in the DNS hierarchy, and A(X) be the target of a CNAME or DNAME
   alias record specified at the label X.

   o  If CAA(X) is not empty, R(X) = CAA (X), otherwise

   o  If A(X) is not null, and CAA(A(X)) is not empty, then R(X) =
      CAA(A(X)), otherwise

   o  If X is not a top-level domain, then R(X) = R(P(X)), otherwise

   o  R(X) is empty.

   For example, if a certificate is requested for X.Y.Z the issuer will
   search for the relevant CAA record set in the following order:

      X.Y.Z

      Alias (X.Y.Z)

      Y.Z

      Alias (Y.Z)

      Z

      Alias (Z)

      Return Empty
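As an added illustration (not part of this email, RFC 6844 or erratum 4515), the proposed R(X) definition implemented over a constructed in-memory zone: CAA(X) follows a CNAME chain the way an RFC 1034 resolver would, while P(X) keeps climbing from the original name rather than from the alias target. The zone contents, the `ZONE` table and the function names are assumptions made for the example.

```python
# Added example, not code from the email or any CA: the proposal's R(X)
# over a constructed zone. Names are fully qualified with a trailing dot.
from typing import Dict, List, Optional, Tuple

# Constructed sample zone: name -> (CNAME target or None, CAA records)
ZONE: Dict[str, Tuple[Optional[str], List[str]]] = {
    "x.y.z.": ("cdn.example.", []),         # aliased, no CAA of its own
    "cdn.example.": ("edge.example.", []),  # second hop of the chain
    "edge.example.": (None, []),            # chain ends, still no CAA
    "y.z.": (None, ['0 issue "ca-one.example"']),
    "z.": (None, ['0 issue "ca-two.example"']),
    "loop.example.": ("loop.example.", []), # pathological self-alias
}

def caa(name: str, trail: List[str], max_hops: int = 8) -> List[str]:
    """CAA(X): query X, following CNAMEs like an RFC 1034 resolver.

    Every name actually queried is appended to `trail` so the lookup
    order can be inspected. Loops and overlong chains are errors.
    """
    seen = set()
    for _ in range(max_hops):
        if name in seen:
            raise ValueError(f"CNAME loop at {name}")
        seen.add(name)
        trail.append(name)
        cname, records = ZONE.get(name, (None, []))
        if cname is None:
            return records
        name = cname  # follow the alias to its target
    raise ValueError(f"CNAME chain from {trail[0]} exceeds {max_hops} hops")

def parent(name: str) -> str:
    """P(X): drop the leftmost label; 'z.' -> '.' (the root)."""
    labels = name.rstrip(".").split(".")
    return ".".join(labels[1:]) + "." if len(labels) > 1 else "."

def relevant_caa(name: str) -> Tuple[List[str], List[str]]:
    """R(X) from the proposal, written as a loop instead of a recursion.

    Returns (record set, names queried in order).
    """
    trail: List[str] = []
    while True:
        records = caa(name, trail)
        if records:                 # CAA(X) non-empty: R(X) = CAA(X)
            return records, trail
        p = parent(name)            # P(X) is taken from X, not its alias
        if p == ".":                # parent is the root: R(X) is empty
            return [], trail
        name = p
```

For "x.y.z." the trail shows the whole chain x.y.z. -> cdn.example. -> edge.example. being exhausted before the lookup climbs to y.z., which is the behaviour the proposal's wording is meant to pin down.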